As Australians contemplate whether to opt out of My Health Record, it has been revealed that the private health sector had the highest rate of data breaches last quarter.
The Office of the Australian Information Commissioner (OAIC) has released its second Notifiable Data Breaches Quarterly Statistics Report, covering the three-month period ending 30 June, which shows a total of 242 breaches were reported.
Health service providers accounted for 49 of these, followed by finance (36) and legal, accounting and management services (20).
Notifications made under the My Health Records Act 2012 are excluded from these quarterly reports as they are subject to specific notification requirements set out in that Act.
Across all sectors, malicious or criminal attack was the main source of breaches (59%), followed by human error (35%) and system fault (5%).
“Malicious or criminal attacks differ from human error breaches in that they are deliberately crafted to exploit known vulnerabilities for financial or other gain,” the report states.
“Attacks included cyber incidents such as phishing, malware, ransomware, brute-force attack, compromised or stolen credentials and hacking by other means, as well as social engineering or impersonation and actions taken by a rogue employee or insider threat.”
The most common human errors were failing to use the BCC: field when emailing multiple recipients (exposing every address to every recipient), losing paperwork or data storage devices, insecurely disposing of documents, and sending information to the wrong recipient by email or traditional ‘snail’ mail.
The majority of cyber incidents were linked to compromised credentials, obtained through phishing (29%), brute-force attacks (1%) or unknown methods (34%).